Learning Android Forensics uses free open source tools to show you how to forensically recover data from Android devices. All of you, from beginners to experts, are encouraged to follow along with step-by-step directions to learn how to acquire and examine evidence and gain a deeper understanding of the Android forensic process. Commercial forensic tools typically give an examiner a button to press (commonly called the Find Evidence button). This book goes behind the scenes and shows what many of these tools are actually doing, giving you much deeper knowledge of how they work. Commercial forensic tools also frequently fail to recover data from third-party applications; there are simply too many apps available to write a tool that covers all of them. This book shows you how to manually analyze over a dozen popular applications. It teaches techniques and procedures for understanding data that can be carried over to analyzing almost any other application.
Chapter 1, Introducing Android Forensics, introduces mobile forensics, the general approach, and the challenges faced. This chapter also provides an overview of the Android architecture, security features, boot process, and so on.
Chapter 2, Setting Up an Android Forensic Environment, covers the steps to perform to get an established forensic setup to examine Android devices. This chapter also explains the use of ADB commands on the Android device.
Chapter 3, Understanding Data Storage on Android Devices, provides a detailed explanation of what kind of data is stored in the device, where it is stored, how it is stored, and details of the filesystems in which it is stored.
Chapter 4, Extracting Data Logically from Android Devices, covers various logical data extraction techniques using free and open source tools. The logical methods covered include ADB pull, ADB backup, ADB dumpsys information, and SIM card extractions. Bypassing device lock screens is also covered.
Chapter 5, Extracting Data Physically from Android Devices, demonstrates various physical data extraction techniques. Physical methods include dd and nanddump, as well as using netcat to write data to the examiner's computer. RAM and SD card imaging is also covered.
Chapter 6, Recovering Deleted Data from an Android Device, provides an overview on recovering data deleted from an Android device. This chapter explains procedures to recover data deleted from an SD card and also from a phone's internal storage.
Chapter 7, Forensic Analysis of Android Applications, covers forensic analysis of Android applications, data obfuscation methods used by popular applications, reverse engineering of Android applications, and the methods required for it.
Chapter 8, Android Forensic Tools Overview, explains various open source and commercial tools that are helpful during forensic analysis of Android devices.